Whoever enters your mobile will get much more information about you than registering your home. Both on a physical level (real-time location, travel history, hours of sleep) and on a social level (with whom you see and for how long, what you talk about, who are your friends and family) or even on the mental (tastes, hobbies, political ideas). Our pocket computers are also an access point to any valuable document (medical, financial or employment data, personal photos and videos, work files). Everything we do today goes through these devices. That is why we are terrified that someone could snoop on them without our consent. “Mobile phones are Stalin’s dream,” says Richard Stallman, father of the software free and living legend for many programmers.
That dream takes on full meaning thanks to sophisticated shows like Pegasus, the flagship product of Israel’s NSO Group. According to a journalistic investigation, this software espionage, or spyware, has infiltrated the mobile phone of the presidents of France, Emmanuel Macron, or of Mexico, Andrés Manuel López Obrador, among others. In Spain he was already known for having sneaked into the mobiles of some Catalan politicians during the process. The richest man in the world, Jeff Bezos, has been able to walk through space, but not to avoid the scrutiny of this show.
Pegasus is designed to get into other people’s phones without their owner noticing (as a Trojan when clicking on a link or, on other occasions, unknowingly downloading it when entering a certain website) and manipulate them from within. You can take screenshots, transmit the data contained in the device, alter and modify communications and activate the microphone or the camera. All remotely and without raising suspicions.
A varied arsenal
Not even Pegasus is a spyware Neither sole nor NSO is the company that controls this business. What other tools are there on the market and what are they capable of? Impossible to know from official sources. Aware of this, members of Privacy International, a British NGO that ensures the non-invasive use of technology, attended dozens of military fairs held in 37 countries in Europe, the Middle East and Asia to collect information on cyber weapons directly from the manufacturers. To achieve this they posed as potential buyers, although it must not have been easy to enter an industry so jealous of the unknown. “I cannot comment on that,” Ilia Siatitsa, a researcher for the organization, responds politely.
The result of this field work is one of the most complete reports out there about these tools, with a record detailing about 1,500 different products. They classify them into 11 categories, ranging from location trackers or digital activity trackers to audio recording systems or software. hack of mobiles of the Pegasus type.
The United States, Israel, the United Kingdom, Germany and Italy are the countries with the most companies in this controversial sector, according to the data handled by Privacy International, which have barely had access to material from Russia or China (it is assumed that they also will be important in this business). “There is no international regulation that affects this type of gadget. They are used completely opaque. NSO, for example, says that it only sells to governments, but we cannot confirm this, ”explains Siatitsa. The organization you work for has long campaigned for these gadgets to be banned. Already in 2013 it revealed that a software of the British firm Gamma Group, capable of infiltrating a computer and monitoring its communications, had been used by the Governments of Ethiopia or Bahrain to locate and attack political opponents.
The unscrupulousness of the producers of these systems is proven. Azerbaijan, United Arab Emirates or Saudi Arabia are known to be regular consumers. And that they use these tools to persecute and assassinate dissidents, as the case of Saudi journalist Jamal Khashoggi shows.
Not all technology capable of accessing a mobile works in the same way. “On one side is the software of mobile forensics, the one used by the police when they have to enter a device and do not need to do it remotely, and on the other are the companies that produce surveillance technology ”, highlights Javier Ruiz, researcher at the Ada Lovelace Institute of London. The second category would include, for example, search engines that are dedicated to setting off an alarm every time a user types suspicious words (child pornography, terrorism, etc.). In a third rung are programs such as Pegasus, which are directly dedicated to to hack mobiles.
To achieve this, these systems take advantage of vulnerabilities detected by hackers in operating systems. They are called exploits. It is known, for example, that the French Vupen sell exploits to intelligence agencies like the NSA. The most talented hackers are capable of discovering vulnerabilities unknown even by the developer himself (zero day exploits). Its black market value can reach hundreds of thousands of dollars. Stuxnet, the cyber attack organized by the US and Israel against Iranian nuclear power plants, used four zero day exploits.
The Snowden Tsunami
That the States use the most advanced technology of the moment to spy is not news. During the Cold War, wiretaps were part of the routine for security forces in much of Europe. The sophistication of the methods and especially the digitization of our lives made this work easier and easier. The 2013 Edward Snowden leaks were a worldwide wake-up call about the scale and systematization of wiretapping. “Not only did they show that the NSA had an extensive espionage program with its own technology, but that it used it against its own allies, such as Angela Merkel,” recalls Andrés Ortega, a researcher at the Elcano Royal Institute.
The systems used then were simpler and only allowed to listen to conversations, but their usefulness was enormous for the secret services. So much so that, according to this analyst, the intelligence services are not very interested in talking about how easy it is to enter other people’s mobiles precisely in order to continue doing their work. Large companies also participate in this game, mainly to obtain information on contract negotiations or for industrial espionage. “For about $ 500 you can buy systems to tap mobile phones with relative ease,” says Ortega.
Recent leaks from the use of Pegasus reveal that even the tsunami triggered by Snowden did not stop systematic eavesdropping. “In some cases, the forces of order and intelligence must be able to use these tools to enter the mobiles of criminals. But we should make sure they are not used lightly, “says Diego Naranjo, political advisor to EDRI, a pan-European NGO working to defend human rights in the digital age. “You have to develop powerful international regulations, such as prohibiting companies from being able to store and sell zero day exploits”.
In Spain, to tap a mobile you need a judicial permit. In other countries, such as the United States or the United Kingdom, this is also required, although only if the listening is done within the own borders. Outside the country itself, controls are more lax.
Who is safe?
Is it necessary to resort to programs as sophisticated as Pegasus to enter someone else’s mobile? The answer is no. “You can do a lot of things to an average user when you carry an Android, either by exploiting a vulnerability or through social engineering,” explains Deepak Daswani, hacker and cybersecurity expert. Apple’s operating system, iOS, offers more guarantees because it has more control measures over the applications that one downloads.
There are coded telephones, prepared by the CNI, which are more difficult to to hack: They are encrypted from end to end. In Spain they are held by senior government officials. But many ministers stop using them because they sound bad and are slower, according to a source familiar with these processes. That quest for comfort may have been Pegasus’s front door on one of President Macron’s phones.
Getting rid of the smartphone does not eliminate the problem: entering a computer is just as simple as accessing a mobile. We can only trust that the surveillance tools are used correctly. “Just as there are treaties to prohibit the use of nuclear weapons or cluster bombs, I think there should be them for the cyber weapons: they are too dangerous for democracy. A company like NSO should not be able to exist ”, reflects Carissa Véliz, Professor of Philosophy at the University of Oxford and an expert in privacy. Until then, Stalin will be able to continue dreaming of a smile from ear to ear.